CSCI361

Computer Security

Public Key Cryptography I

Introduction and knapsacks
 Outline
 Drawbacks of symmetric key crypto.
 Public Key Cryptography (PKC).
 Assessing security.
 One-way trapdoor functions.
 Knapsacks.
– For encryption.
– Super-increasing knapsacks.
– Trapdoor knapsacks.
 Finding inverses, GCD’s.
 The Euclidean and Extended Euclidean Algorithms.
Drawbacks of symmetric key crypto
 So far we have studied symmetric key cryptosystems
were the transmitter and receiver have the same key.
 They are also called
– Private key cryptosystems
– Secret key cryptosystems
– Conventional cryptosystems
but we will generally stick to the term symmetric.
 Key management, that is, generating good keys, distributing
and storing them in a secure way, is a bottleneck in
symmetric key cryptography.
 Example: For a network of N computer terminals, with
pairwise secret keys, the total number of secret keys is N(N-
1)/2. For N=100 there are 4950 keys, with 99 at each
terminal and two copies of each across the network.
 Another significant drawback of symmetric key
cryptography is that the encryption is not identified
with an individual, it doesn’t provide authenticity.
We will later see they are not they cannot directly
provide what are referred to as digital signatures.
Services such as non-repudiation cannot be
achieved.
– A non-repudiation service provides Alice protection
against Bob later denying that some communication
exchange took place. It allows the elements of the
communication exchange to be linked with the transmitter.
– In such a service Alice will have irrefutable evidence to
support her claim.
 In symmetric key cryptography the secret information
is shared between Alice and Bob, so whatever Alice
can do Bob can do too.
– To provide a non-repudiation service a trusted authority is
required.
 Public key cryptography
 Diffie-Hellman (1975).

 Public Key Cryptography (PKC) provides solutions to

both of the problems mentioned.

 In a PKC:
– The encryption and decryption keys are different.
– The decryption key cannot be deduced from the encryption key.

 That is, keys come in pairs, (z, Z), where z is the private
and Z is the public component of the key.
 Each pair of keys satisfies the following two
properties:
– A plaintext encrypted with Z can be decrypted with z. That is
z determines the inverse of the encryption with key Z.
– Given a public key Z it is computationally infeasible to
discover the corresponding decryption key z.

 The first property is needed in all cryptosystems:

Decryption is the inverse of encryption.
Dz(EZ(X)) = X

 In secret key cryptography z can be easily obtained

from Z.
 Example: In DES decryption sub-keys are the same
as encryption sub-keys but applied in reverse order.
 Once Z is known, z can be calculated and algorithms
EZ and Dz are both known. In PKC, knowledge of EZ
does not imply knowledge of Dz.
 A PK cryptosystem can provide confidentiality,
because only the receiver can decrypt and find the
plaintext, and authenticity, because only the
sender can create such a cryptogram.

 In a PKC, user Alice has a pair of keys.

– Public component ZA generates a public transformation
EZA for encryption.

– Private component zA generates a private transformation

DzA for decryption.
 A public directory contains a list of public
keys, including a row for Alice.

Alice ZA
Bob ZB
Fred ZF
Oscar ZO
…
…
 If Bob wants to send a message X to Alice, he checks the public
directory to find Alice’s public key, and forms the following
cryptogram:

Y= EZA (X)

 Alice can recover the message using her private key, as in

DzA(Y) = DzA(EZA(X))
=X
Assessing security in PK systems

 Since EZ is public the enemy can choose a

plaintext and find the corresponding
ciphertext. Hence a PKC should be
assessed under chosen-plaintext attack.

 How can we construct a PKC which is

resistant to such an attack?
– PKC’s can be realized by using trapdoor one-
way functions.
 One-way trapdoor functions
 A function f is called one-way if
– for all X finding f(X) is easy.
– knowing f(X) it is hard to find X.
 Example: Given n primes p1, p2, … , pn, it is easy to find
their product
N= p1p2…pn.

 Given a large number N it is difficult to find its prime factors.

 A trapdoor is a piece of knowledge which makes it easier to

find X from f(X).

 A trapdoor one-way function is a function which looks like

a one-way function but is equipped with a secret trapdoor.
If this secret door is known, the inverse can be easily
calculated.
 A trapdoor one-way function can be used to realize a
PKC:

 EZ is easy to compute (from the public component of

the key Z) but is hard to invert.

 Knowledge of z, which is the private component of the

key (i.e. it is the trapdoor), allows easy computation of
Dz (inverting EZ).

 We are going to look at two examples of building

trapdoors in one-way functions. The first one has failed
(knapsacks) and the second one has provided us with
the most important PK cryptosystem (RSA).
 Knapsacks
 The knapsack problem is derived from the notion
of packing an odd assortment of packages into a
container:

 Find a subset of packages that fills the container.

 In general, there is no efficient way of finding the
subset: You have to try all possibilities.
 Alternatively:
– We are given an ordered set of n positive integers ai, 1  i  n, and a
target number T.
– The ordered set of positive integers is referred to as a cargo vector.
– The knapsack problem is to find a subset S  {1,…n} such that

a
iS
i T

 This is also called the subset-sum problem. This is known to

be a difficult problem as there is no algorithm more efficient
than exhaustive search in the general case.

 Example: (a1,a2,a3,a4)=(2,3,5,7) and T=7.

Solutions: (1,0,1,0), (0,0,0,1).

 Note: In general we may have more than one solution.

 Knapsacks for encryption
 Knapsacks are implemented as block ciphers. For a
block size of n bits we require a key or cargo vector, of
positive integers ai, 1  i  n, referred to as weights.
a = (a1, a2, a3, ..., an)

 Then to encrypt a message block of n bits:

X = (x1, x2, x3, ..., xn)
we find the number
n
T   xi ai
i 1
and write it in a binary representation.
 To decrypt: The receiver knows T and all ai, so
goes through all possible plaintext blocks to find a
block that satisfies the condition.

 In this system:
– Encryption is easy and requires n additions.
– Decryption is difficult, even if the key is known.

 Hence the resulting cryptosystem is not useful.

 To construct an acceptable cryptosystem, Merkle &

Hellman (1977) used a special case of the
knapsack problem, involving super-increasing
knapsacks, where decryption is easy with the key.
 Super-increasing knapsacks
 A knapsack is super-increasing if each element of
the cargo vector is greater then the sum of the
preceding elements.
 Example: a=(1,2,4,8)
Given T=14 say, it is easy to find X=(x1,x2,x3,x4)
such that x1+2x2+4x3+8x4=14.
i ai Total In?
4 8 14 1
X=0111
3 4 6 1
2 2 2 1
1 1 0 0
 At each step the current target value with the
largest unchecked element ai of the cargo vector
a. If the current target value is larger that element
of the cargo vector must be included element (i.e.
xi=1) otherwise it cannot be (i.e. xi=0).
 Example: a=(171,197,459,1191,2410), T=3798.
 What is X=(x1,x2,x3,x4,x5)?
i ai Total In?
5 2410 3798 1
4 1191 1388 1
3 459 197 0 X=01011
2 197 197 1
1 171 0 0
 As described the super-increasing knapsacks could be
used as a symmetric key cryptosystem.

 But super-increasing knapsacks cannot be used directory

for public key cryptography, because making the
encryption key public allows everyone to decipher X!

 The idea of Merkle and Hellman (1977) was to start with an

easy knapsack and then disguise it to look difficult for
people without knowledge of the trapdoor.

 The trapdoor will only be known by the person who wants

to decrypt the cryptogram. It will be their private key.
 Trapdoor knapsacks
 Alices chooses a super-increasing knapsack,
a=(a1,a2,…,an), as her private key. n

 Then she chooses an integer m   a , called

i 1
i

the modulus, and a random integer w, called

the multiplier, which is relatively prime to m.
Relatively prime means the largest common
factor of w and m is 1. This condition implies
there exists an inverse of w modulo m.
– Note that if m is prime, then w can be any number.
 Alice’s public key is b where
b=(b1,b2,…,bn) and bi=w*ai mod m
 Alice publishes a permuted version of b as
her public key. Her secret key is (a,m,w).
 To encrypt: Bob sends a message X to Alice
by computing n
T   xi bi
i 1

 To decrypt: Alice receives T and …

– Uses the inverse of w, w-1, to calculate
R=w-1T mod m.
– Uses the easy knapsack a to find X, since R=a.X
 1
R  w T (mod m)
n
w 1
 b x (mod m)
i 1
i i

n
w 1
 (wa )x (mod m)
i 1
i i

n
  ( w1wai )xi (mod m)
i 1
n
  ai xi (mod m)
i 1

 a. X
Brute force attack
 For those who do not know the secret
trapdoor, decryption requires an exhaustive
search through all 2n possible X.

 Example:
 Earlier we had: a=(171,197,459,1191,2410)
 Let w = 2550 and m = 8443.
b=(5457, 4213, 5316, 6013, 7439) is the
public cargo vector.
Multiple layers and the fall of knapsacks
 The disguising process can be repeated a number of times on
the cargo vector to create more and more difficult knapsack
problems (w1, m1), (w2, m2),... . The result is, in general, not
equivalent to a single (w, m) transformation.
 Adleman (1982) broke the knapsack cryptosystem by taking a
public cargo vector and finding a pair (w', m') that would
convert it back to a super-increasing cargo vector sufficient for
decrypting encrypted messages. It didn’t haven’t to be the
same one used as the private key.
 Merkle was confident enough that the multiple layers were still
secure to offer a reward of $1000 to anyone who could break
a multiple layer knapsack.
 In 1984, Brickell announced the destruction of a knapsack
system, with 40 iterations and a hundred weights (elements of
the cargo vector), in about one hour of Cray-1 time.
– Merkle gave him the money 
Finding inverses:
The Extended Euclidean Algorithm

 Constructing trapdoors in knapsacks

requires finding inverses of w modulo m.
 Inverses exists if w and m do not have any
common factor.
 To find w-1 such that w-1w = 1 mod m we
will use the Extended Euclidean Algorithm.
– Before doing so it is instructive to look at the
Euclidean algorithm.
 GCD’s and the Euclidean Algorithm
 The greatest common divisor (GCD) of two
integers n1 and n2, not both zero, is the
largest integer that divides n1 and n2.
 It is denoted gcd(n1,n2).
 Example: gcd(30, 15) = 15
gcd(30, -12) = 6
 We can calculate the gcd using an algorithm
of Euclid.
 Euclidean Algorithm
1) Divide the larger number by the smaller and retain the
remainder.
2) Divide the smaller original number by the remainder, again
retaining the remainder.
3) Continue dividing the prior remainder by the current
remainder until the remainder is zero, at which point the
last (non-zero) remainder is the greatest common divisor.
 Example: gcd(84,49).
84/49  remainder 35.
49/35  remainder 14.
35/14  remainder 7.
14/7  remainder 0.
Therefore gcd(84,49)=7.
Extended GCD for integers

The Extended GCD Theorem for Integers

states:
Given integers n1 and n2, not both
zero, there exist integers a and b
such that
gcd(n1,n2)=a*n1+b*n2
 These integers are not necessarily unique though.
 Example:
gcd(15,12) = 3 = (+1)*15+(-1)*12
= (+1-12)*15+ (-1+15)*12
= (-11)*15+(+14)*12
If gcd(w,m)=1 then it means that we can find the
inverses n1 mod n2 and n2 mod n1.
gcd(n1,n2)=a*n1+b*n2=1
 Example:
gcd(65,14) = 1 = (-3)*65+(14)*14
 14*14=1 (mod 65)
 The Extended
Euclidean algorithm
calculates a, b and START

g=gcd(n1,n2) such n1, n2

that g=a*n1+b*n2. n1>0

Initialisation:
a1 =1, b1=0
UPDATE: a2=0, b2=1
n1=n2
n2=r Compute quotient q
t=a2 and remainder r
a2=a1-q* a2 when n1 is divided by n2
g=n2
a1=t
No Yes a=a2
t=b2 r=0
b=b2
b2=b1-q*b2
b1=t
g, a, b
 Find gcd(39,11) and a,b : 39a+11b=gcd(39,11)

n1 n2 r q a1 b1 a2 b2
Initialise
39 11 6 3 1 0 0 1
11 6 5 1 0 1 1 -3
6 5 1 1 1 -3 -1 4
5 1 0 5 -1 4 2 -7

gcd(39,11)=1 1=39*2+11*(-7)
Example: PKC using a trapdoor knapsack

 Secret key a=(2, 5, 10, 21).

 Trapdoor: m=39>38 (sum of weights).
– Random w, w=15.
– gcd algorithm, gcd(39,15)=3≠1
– Another w, w=11.
– gcd(39,11)=1
– Inverse of 11 mod 39 = 32
(32 = -7+39)
 Using w=11 and m=39 disguise a.
b1=2*11=22 (mod 39)
b2=5*11=16 (mod 39)
b3=10*11=32 (mod 39)
b4=21*11=36 (mod 39)
 Public key: b=(22, 16, 32, 36).

 Secret key: a=(2, 5, 10, 21).

(w,m)=(11, 39)
(remember also that w-1=32)
 To decrypt a message T=48…
– Find R = 48*32 mod 39 = 15
– Use the cargo vector a to decrypt R and find
X=(0, 1, 1, 0).

– We see this agrees with the public key version

too (16+32=48).
– In useful sized examples it would be not trivial
to find the solution using just the public key,
although it is easy to check the answer using it.
 PKC progress…
 Since 1976, many PKC have been proposed. Many of
these are broken and proven to be insecure.
 Among the ones that are considered secure, many are
impractical because of either large key or large message
expansion.
 PKC algorithms are, however, all slow and unsuitable when
fast encryption is needed. However, they can provide high
security and can be used when low processing rates are
acceptable or when high security is needed.
 Remember that a PKC can be used for:
– confidentiality (secrecy).
– authentication (digital signatures).
 Two algorithms that can easily be used for both secrecy
and authentication are RSA and ElGamal.
– We are going to look at RSA next.
 CSCI361
Computer Security

Public Key Cryptography II

RSA
 Outline
 RSA.
– Encryption and decryption.
 Using RSA.
 Choosing p and q.
 Implementation considerations.
 Some comments on factoring.
 Finding and testing primes.
 Fast exponentiation.
 Assessing the security of RSA.
RSA
 The RSA Public--Key Cryptosystem (Rivest, Shamir
and Adleman (1978)) is the most popular and
versatile PKC.

 It is the de facto standard for PKC.

 It supports secrecy and authentication and can be
used to produce digital signatures.
 RSA uses the knowledge that it is easy to find primes
and multiply them together to construct composite
numbers, but it is difficult to factor a composite
number.
The Euler phi Function
For n  1, (n) denotes the number of integers in the interval [1, n]
which are relatively prime to n. The function  is called the Euler phi
function (or the Euler totient function).

Fact 1. The Euler phi function is multiplicative, i.e. if gcd(m, n) = 1, then

(mn) = (m) x (n).
Fact 2. For a prime p and an integer e  1, (pe) = pe-1(p-1).

• From these two facts, we can find  for any composite n if the prime
factorization of n is known.
The Euler phi Function
 (n)  {x : 1  x  n and gcd( x,n)  1}

• (2) = |{1}| = 1
• (3) =|{1,2}| = 2
• (4) = |{1,3}| = 2
• (5) = |{1,2,3,4}| = 4
• (6) = |{1,5}| = 2

• (37) = 36
• (21) = (3–1)×(7–1) = 2×6 = 12
 The algorithm
1. Choose two primes p and q. Compute n = pq and
m=(n)= (p-1)(q-1).
• (n) is Euler’s totient function: It is the number of positive
integers less than n that are relatively prime to n.
2. Choose e, 1  e  m - 1, such that gcd(e,m)=1.
3. Finds d such that ed=1 mod m.
• This is possible because of the choice of e.
• d is the multiplicative inverse of e modulo m and can be
found using the extended Euclidean (gcd) algorithm.
4. The Public key is (e, n).
The Private key is (d, p, q).
 Encryption and decryption
 Let X denote a plaintext block, and Y denote the
corresponding ciphertext block.
 Let (zA, ZA) denote the private and public components of
Alice's key.

 If Bob want to encrypt a message X for Alice. He uses

Alice's public key and forms the cryptogram:
Y = EZA(X) = Xe mod n

 When Alice wants to decrypt Y, she uses the private

component of her key zA=(d,n) and calculates
X=DzA(Y) = Yd mod n

 X and Y are both integers in {0, 1, 2, …, n-1}.

 Example: Choose p=11 and q=13.
n=11*13=143
m=(p-1)(q-1)=10*12=120
e=37  gcd(37,120)=1

Using the gcd algorithm we find d such that

ed=1 mod 120; d=13  de=481.
X,Y{0,1,…,142}
 To encrypt: Break the input binary string
into blocks of u bits, where 2u142, so we
choose u=7.
In general there is some agreed padding scheme from the message
space into the space on which a “single run” of the cipher can act.
Optimal Asymmetric Encryption Padding (OAEP) is often used.
 For each 7-bit block X, a number between 0
and 127 inclusive, we calculate the
ciphertext as Y=Xe.
 For X=2=(0000010) we have
EZ(X)=X37=12 (mod 143)  Y=0001100
 To decrypt: X=DZ(Y)=1213=2 (mod 143)
An RSA public directory

User (n,e)
Alice (85,23)
Bob (117,5)
Fred (4757,11)
 An important property of the RSA algorithm is that
encryption and decryption are the same function:
both exponentiation modulo n.

EZA(DzA(X)) = X

 Example:
– First decrypt: 213= 41 mod 143
– Then encrypt: 4137=2 mod 143

 This is the basis of using RSA for authentication.

 Using RSA
 The RSA system can be used for:
1. Confidentiality: To hide the content of a message X, A
sends EZB(X) to B.
2. Authentication: To ensure integrity of a message X,
– Alice signs the message by using her decryption key to
form DzA(X) and sends (X, DzA(X)) = (X, S) to Bob.
– When Bob wants to verify the authenticity of the
message:
• He computes X‘ = EZA(S).
• If X'=X the message is accepted as authentic and from Alice.
– Both message integrity and sender authenticity are
verified.
• This is true because even one bit change to the message can be
detected, and because zA is known only to Alice.
– This method is inefficient. We will see later that Alice may
compute a hash value of X and then apply DzA to the
result.
– We will talk about Digital Signatures later anyway.
3. Secrecy and authentication:
• If we need secrecy and authentication the
following can be used:
• A sends Y=EZB (DzA(X)) to B.
• B recovers
X=EZA(DzB(Y))
This scheme provides non-repudiation if Bob
holds on to DzA(X). That is, Bob is protected
against Alice trying to deny sending the
message.
 Choosing p and q
 The main conditions on p and q are:
– They must be at least 100 decimal digits long (about
330 bits).
– They must be of similar say, say both 100 digits.

 To choose each number the user does the

following:
– Randomly choose a random number b which is 100
digits long, or whatever length is appropriate.
– Checks to see if b is prime. Usually using a probabilistic
primality testing algorithm.
– If b is not prime, choose another value for b.
RSA implementation considerations

 Relative to DES or AES;

– RSA is a much slower algorithm.
– RSA has a much larger secret key.
 Storage of p and q requires about 330 bits each, n is
about 660 bits.
 Exponentiation is relatively slow for large n, especially in
software.
 It can be shown that multiplication needs m + 7 clock
pulses if n is m-bits in length.

 Approximate relative speeds (this is a few years old!)

– Hardware: n is 507 bits: 220 kbits/sec
– Software: n is 512 bits: 11 kbits/sec
 Some comments on factoring

 The most powerful known (pretty much

general purpose) factoring algorithm is the
general number field sieve.
 It uses
 1
2 
  64  3 
O exp log n  (log log n) 3 
  9  
 

steps to factor a number n.

 One of the best factoring results is for a 663-
bit number (RSA-200). This was factored
using a general number field sieve
(announced May 9 2005). This took several
months of work undertaken by a system of
80 AMD Opteron processors (~2.6GhZ).

 Today for sensitive applications, a 1024 bit

modulus, and in some cases a 2048 bit
modulus, are considered necessary.
 Finding primes
 An algorithm to generate all primes does not exist.

 However, given a number n, there exist efficient algorithms

to check whether it is prime or not. Such algorithms are
called primality testing algorithms.
 As mentioned earlier, prime generation for RSA is basically
just a matter of guessing and testing.

 Primality Testing: Deterministic algorithms for proving

primality are non-trivial and are only advisable on high
performance computers. Probabilistic tests allow an
educated guess as to whether a candidate number is prime
or not.
– This means that the probability of the guess being wrong can be
made arbitrarily small.
 Lehman’s test
 Let n be an odd number. For any number a
define n 1
e(a, n)  a 2 mod n
G  {e(a, n) : a  Z n
*

where Zn*={1,2,…,n-1}.
 Example: n=7
23=1, 33=6, 43=1, 53=6, 63=6  G={1,6}
 Lehman’s theorem:
If n is odd, G={1,n-1} if and only if n is prime.
Example: n=15 isn’t prime: (n-1)/2=7
27=8 mod 15, 37=12 mod 15

Example: n=13 (prime): (n-1)/2=6

26=-1 mod 13, 36=1 mod 13, 46=1 mod 13,
56=-1 mod 13, 66=-1 mod 13, 76=-1 mod 13,
86=-1 mod 13, 96=1 mod 13, 106=1 mod 13,
116=1 mod 13, 126=1 mod 13.
 Thus, we have the following test:
if (gcd(a,n) >1) return(‘composite’)
else
if (a(n-1)/2=1) or (a(n-1)/2=-1)
return(‘prime_witness’)
else
return(‘composite’)

If for a given n the test returns prime_witness for 100

randomly chosen a, then the probability of n not
being not prime (i.e. being a composite disguised
as a prime) is less than 2-100.
 Fast exponentiation
 Exponentiation can be performed by
repeated multiplication. In general, we can
use the square and multiply technique.
 To calculate X:
1. Write  in base two:
= 020+ 121+ 222+… n-12n-1;
i
2. Calculate X ,
2 1 i n-1.
 0  1  n-1 
3. Use X =(X ) *(X ) …(X ) n-1 and
2 0 2 1 2

Multiply the X2 for which i is not zero.

i
 A partial example: n=179, e=73.
X=2  Y=273 mod 179.
73=64+8+1=26+23+20
Y=264+8+1=264*28*21
This is only a partial example because we haven’t
looked at calculated the elements of the last line.

Precomputation:
X2=X*X
2
X = X =X2*X2
4 2 This is a total of n-1
… multiplications, all
n-1 n-2
X2 = X2 * X2
n-2
mod N
 Example: N=1823, n=log21822=11.
– Calculate Y=5375 mod N
 Precomputation:
X1 5 X2 25 X4 625
X8 503 X16 1435 X32 1058
X64 42 X128 1764 X256 1658
X512 1703 X1024 1639
 Never store a number larger than N!
 Never multiply two numbers large than N!
375=256+64+32+16+4+2+1.
5375=5*25*625*1435*1058*42*1658
= 591 mod 1823
There are various other tricks for calculating powers
too, but we aren’t going to look at them here!
A weakness in RSA
 In RSA not all the messages are concealed,
i.e. the plaintext and ciphertext are the same.
 Example: n=35=5*7, m=4*6.
 X=8.
 Y=85 mod 35=8

 For any key, at least 9 messages will not be

concealed. But for n  200 or so, this is not
important.
 However if e is poorly chosen, less than
50% of the messages are concealed.
 Example: n=35, e=17.
{1,6,7,8,13,14,15,20,21,22,27,28,29,34} are
not concealed. 
It is less likely that a system will have this
problem if the primes are safe.
A prime is safe if p=2q+1, where q is a
prime itself.
 Assessing the security of RSA
 The security of the private component of a key
depends on the difficulty of factoring large integers.
 Justification:
– Let Z=(e,n). If n can be factorised then an attacker can
find
• n=pq
• m=(p-1)(q-1)
– … and use the gcd algorithm to find the private key, d=e-
1 mod m.

 No efficient algorithm for factoring is known.

 So knowing n = pq does not yield p or q.

 This implies that m=(p-1)(q-1) cannot be found and
d cannot be computed.
 Finding secret exponent: If an attacker knows X
and Y= Dz(X) to find d they must solve
X = Yd mod n or d= logYX

 Finding plaintext: If the attacker knows Y and e to

determine X they must take roots modulo a
composite number: i.e. they need to solve Y = Xe.

 It is important to note that the security of RSA is not

provably equivalent to the difficulty of factoring. That
is, it might be possible to break RSA without factoring
n.
 Important attacks
 It is sufficient for the cryptanalyst to compute (n).
 Knowledge of n and (n) gives two equations:

n = pq
(n) = (p-1)(q-1)

This system can be solved, for p say, by solving a

quadratic equation:
p2-(n-(n)+1)p+n=0
 Some equivalent results:
– Any algorithm that can compute the
decryption exponent can be used as a
subroutine in a probabilistic algorithm that
factors n.
– Any algorithm that computes parity(Y) can
be used as a subroutine in an algorithm
that computes the plaintext X.
 Weak implementations

 Some implementations allow attacks:

1. Common modulus attack: Consider a group of
users who’s public keys consists of the same
modulus and different exponents.
– If an intruder intercept two cryptograms where
• They are encryptions of the same message with different
keys.
• The two encryption exponents do not have any common
factor. Then the attacker can find the plaintext.
 Let us consider why:

 The enemy knows e1, e2, N, Y1 and Y2, and furthermore that
Y1= Xe1mod N and Y2=Xe2 mod N

 Since e1 and e2 are relatively prime, the Extended

Euclidean algorithm can be used to find a and b such that
ae1+ be2 =1.

But then Y1aY2b = Xae1*Xbe2 = Xae1+be2=X

 Using a common modulus among a number of

participants is not advisable!
2. Low exponent attack: If the encryption exponent
is small, encryption and signature verification will
be faster.
• However, if the enemy can find e(e+1)/2 linearly
independent messages encrypted (signed) with the
same exponent, then they can also find the message.
The attack does not work if the messages are
unrelated.
• Pad messages with random strings to ensure that they
are not dependent.
3. Low decryption exponent: If the decryption
exponent is less that N/4 and e<N then d can be
found.
 RSA in real-life
1. If there is a small range of possible messages,
– For example, messages are numbers between 0
and 1,000,000.
– Then given a ciphertext, the plaintext can be found
by exhaustively searching all plaintext.
2. The Multiplicative property of RSA can be used
to find the plaintext.

C1 = m1e mod N
C2 = m2e mod N
C1C2 = m1e m2e = (m1m2)e mod N
 An attack against RSA
 Suppose m is l bits, m  2l.
 Suppose m=m1m2 m1, m2  2l/2.
 The attacker knows c=m1em2e mod N
 … and builds a sorted database:
{1e, 2e, 3e,…,(2l/2)e} mod N
 For a given c, the attacker searches the
database for c/ie=je mod N.
 This will take at most 2l/2 steps.
 The cost if 2l/2log N space is affordable is…
 l / 21  l 
O 2 *   log N  
3

 2 